Solved

Help with Security

Posted on 2001-07-11
Last Modified: 2011-09-20
Can someone point me to some very good resources on designing Win2K security? I need to limit access to resources over Terminal Server connections. Just looking for some step-by-step type examples on setting this up. Thanks.
Question by:belink
13 Comments
 
LVL 12

Expert Comment

by:gidds99
Here is a link to Microsoft's guide to deploying TS

http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/reskit/deploy/part4/chapt-16.asp

I will see what else I can find.

Gordon.
 
LVL 12

Expert Comment

by:gidds99
Also, here is Microsoft's document on W2K Network Security

http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/reskit/deploy/part4/chapt-16.asp

Are these documents the type of thing you are looking for?

Gordon.
 
LVL 12

Expert Comment

by:Housenet
Port 3389 is the Terminal Server port. Basically the best advice is to close as many ports & protocols as possible without totally disabling the required Internet services.
-I use TCP/IP filtering in the advanced options of Local Area Connection.
-http://www.softforces.com/ntbook.htm
http://www.sans.org/infosecFAQ/win2000/hardening.htm
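As an added example, not part of Housenet's post or the original thread: the "leave only the Terminal Server port open" advice above, expressed with the Windows Firewall cmdlets that ship with Windows 8 / Server 2012 and later (the Windows 2000 TCP/IP filtering dialog it replaces has no scripting interface, but the intent is identical). The source range 10.0.0.0/24, the rule name, and the assumption that the server uses the single default RDP-Tcp listener are illustrative, not from the page.

```powershell
# Added example (not from the original thread). Run elevated on the
# Terminal Server itself. Everything below is idempotent.
# ASSUMPTION: 10.0.0.0/24 stands in for the address range your users connect from.
$AllowedSources = @('10.0.0.0/24')
$RuleName       = 'TS-Allow-RDP-From-Users'

# The RDP listener port is configurable, so read the live value instead of
# hard-coding 3389; otherwise the rule can silently miss the real listener.
$RdpPort = (Get-ItemProperty `
    -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name PortNumber).PortNumber
Write-Host "RDP listener port: $RdpPort"

# Default-deny inbound on every profile; outbound traffic is left alone.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Allow -Enabled True

# The built-in "Remote Desktop" rules allow RDP from ANY source; disable them
# so the scoped rule below is the only way in.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

# Replace any earlier copy of our rule, then allow RDP only from the user range.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol TCP -LocalPort $RdpPort `
    -RemoteAddress $AllowedSources -Action Allow -Profile Any | Out-Null

# Check: every inbound Allow rule that is still enabled. Anything besides the
# rule above is an open port that needs a reason to exist.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Select-Object DisplayName, Profile, Enabled |
    Sort-Object DisplayName
```

Run this from the console or from a session that originates inside the allowed range; switching the profile to default-deny and disabling the stock Remote Desktop rules drops any RDP session coming from elsewhere, including your own.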
 
LVL 10

Accepted Solution

by:
blohrer earned 50 total points
What specific things are you looking to secure? Desktop settings? What options are available to your users?

Like taking the shutdown and restart options away from the users?

Or just how to limit the ports for users to access? As said above, the only port needed open for Terminal Services is 3389, unless you are going to run other services.

I have run W2K Terminal Servers over the Internet for 100+ users. If you are using Active Directory, one of the things I did was set up a Terminal Server OU (organizational unit). I then modified the group policy on that OU to take things on the Start menu like Run, Settings, Shutdown and Restart away. Made life a lot easier!!!
 
LVL 17

Expert Comment

by:mikecr
Use ICA instead of RDP and they can't do much of anything.
 

Author Comment

by:belink
Wow, thanks for all the good input to everyone (I'm obviously going to have to divvy out points to more than one of you, 50 each of course).

blohrer: You have hit my situation on the head. I already have the router configured for port 3389 to route to my server. I love your idea about the OU. That's probably what I will do. I need to limit the desktop settings and take things out of the Start menu, make it so they cannot see drives in My Computer, things of that nature. I knew I could use Group Policies to do this, but I'm used to working with very small companies and the OU solution did not occur to me. That seems like it would work.

mikecr: Could you give more detail? (In other words, I'm not sure what you're talking about.) I know that TS uses RDP but I'm not familiar with ICA.

housenet: Thanks for the articles. They have helped me learn more about 2000 security but may be a little more than I need for this application. One question: when you use the templates (as stated in the sans.org article), if you apply a template to the machine (a Win2K Professional box in this case) does it affect ALL users? If not, how do you assign the template to just certain users? Thanks for your input.

 
LVL 10

Expert Comment

by:blohrer
No problem belink... I had the same situation. Just be careful of one thing: if these users are both Term Server users and local users with Windows 2000 workstations, the group policy will be applied to both systems. I didn't have this problem, but I would suggest if you do, two different logins for this type of user. One for Terminal Server, and one for their local workstation.
 
LVL 12

Expert Comment

by:Housenet
-To view the distinctions between what are user policy settings & computer policy settings, I suggest this.
-Create OUs.
-The properties of an OU have a Group Policy tab. When you edit the group policy for an OU, the options are separated by User & Computer settings.
-If you move a user into the OU & this user has Read & Apply Group Policy permissions for the policy, the user settings will apply to the user.
-The same applies for computers moved into OUs.


-You can even look at a PC's local policy by typing MMC in Run. Add the snap-in for Group Policy & choose the option for local policy.
-The basic point is: when looking at a Group Policy Object, user & computer settings are very obvious because of the way it is organized.
 
LVL 10

Expert Comment

by:blohrer
Housenet... True, but we have users here that will have a policy applied to them. They MAY log in to both a Terminal Server and (I am assuming) a regular Windows 2000 PC. The initial question was how to secure a terminal server, taking away certain options. Most of these options are on the user level. So if a user needs to be secured on a terminal server (e.g. take away the Run Start menu item so they can't have access to the local drives via a command prompt), the user policy would also extend to their W2K network machine.

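As an added example, not part of blohrer's or Housenet's posts or the original thread: the "Terminal Server OU" approach blohrer describes, together with the user-versus-computer distinction Housenet walks through, scripted with the ActiveDirectory and GroupPolicy modules (RSAT / Server 2008 R2 and later; on Windows 2000 the same settings were made in the Active Directory Users and Computers and Group Policy MMC snap-ins). It also applies Group Policy loopback processing, a Windows 2000-era computer-side setting that makes the user restrictions apply only to logons on the Terminal Server, which addresses the "same user, two machines" caveat raised in the thread without needing two accounts per user. The domain name, OU name, GPO name and computer name TS01 are assumptions.

```powershell
# Added example (not from the original thread). Run as a domain admin on a
# domain-joined machine with RSAT installed.
# ASSUMPTIONS: domain DC=example,DC=local; OU/GPO names are illustrative;
#              TS01 is the Terminal Server's computer account.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = 'DC=example,DC=local'
$OuName   = 'Terminal Servers'
$OuDN     = "OU=$OuName,$DomainDN"
$GpoName  = 'TS Lockdown'
$TsHost   = 'TS01'

# 1. An OU that holds the Terminal Server COMPUTER account(s), not the users.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
}
Get-ADComputer $TsHost | Move-ADObject -TargetPath $OuDN

# 2. A GPO linked to that OU (created once, reused on later runs).
$Gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $Gpo) {
    $Gpo = New-GPO -Name $GpoName
    New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes | Out-Null
}

# 3. Computer Configuration: loopback processing in Replace mode (2 = Replace,
#    1 = Merge). The USER settings of GPOs linked to the computer's OU are then
#    applied to whoever logs on to that computer, and nowhere else, so the same
#    account keeps a normal desktop on its own workstation.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName UserPolicyMode -Type DWord -Value 2 | Out-Null

# 4. User Configuration: the Start menu / Explorer restrictions from the thread.
#    These are the registry values behind the Administrative Templates entries.
$Explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$UserRestrictions = @{
    NoRun         = 1            # Remove Run from the Start menu
    NoSetFolders  = 1            # Remove Control Panel/Printers/Network from Settings
    NoClose       = 1            # Remove Shut Down (and Restart) from the Start menu
    NoDrives      = 0x03FFFFFF   # Hide drives A: through Z: in My Computer (26-bit mask)
    NoViewOnDrive = 0x03FFFFFF   # Also refuse to open them by path in Explorer
}
foreach ($Name in $UserRestrictions.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $Explorer -ValueName $Name `
        -Type DWord -Value $UserRestrictions[$Name] | Out-Null
}

# 5. Check: read back what the GPO actually contains. Loopback lives under the
#    computer-side key, the restrictions under the user-side key, which is the
#    same split you see in the Group Policy editor.
Get-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' |
    Select-Object ValueName, Value
Get-GPRegistryValue -Name $GpoName -Key $Explorer |
    Select-Object ValueName, Value
Write-Host "Next: 'gpupdate /force' on $TsHost, then 'gpresult /r' inside a test user's TS session."
```

Loopback in Replace mode applies these restrictions to every interactive logon on the server, administrators included; either deny the Apply Group Policy permission on the GPO to the admin group or keep a separate, unrestricted console path before rolling it out.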
 
LVL 12

Expert Comment

by:Housenet
blohrer, sounds good to me.
 

Author Comment

by:belink
In response, blohrer: the users will only be logging in LOCALLY to a Win2K Pro box that is not part of a domain (just a workstation, no server). They will then initiate a Terminal Server session to a remote TS, so I assume I would only need one logon on the server side for this. I am going to experiment with this today and see what I can come up with. Thanks again for the input.
